Abstract

In this paper we consider the specification and verification of infinite-state systems using temporal logic. In particular, we describe parameterised systems using a new variety of first-order temporal logic that is both powerful enough for this form of specification and tractable enough for practical deductive verification. Importantly, the power of the temporal language allows us to describe (and verify) asynchronous systems, communication delays and more complex properties such as liveness and fairness properties. These aspects appear difficult for many other approaches to infinite-state verification.

1 Introduction 

First-order temporal logic (FOTL) has been shown to be a powerful formalism for expressing sophisticated 
dynamic properties. Unfortunately, this power also leads to strong intractability. Recently, however, a 
fragment of FOTL, called monodic FOTL, has been investigated, both in terms of its theoretical [24, 22] 
and practical [7, 26, 25] properties. Essentially, monodicity allows for one free variable in every temporal 
formula. Although clearly restrictive, this fragment has been shown to be useful in expressive description 
logics, infinite-state verification, and spatio-temporal logics [3, 31, 27, 20, 19]. 

We here develop a new temporal logic, combining decidable fragments of monodic FOTL [24] with recent developments in XOR temporal logics [14], and apply this to the verification of parameterised systems. We use a communicating finite state machine model of computation, and can specify not only basic synchronous, parameterised systems with instantaneous broadcast communication [17], but the powerful temporal language allows us also to specify asynchronously executing machines and more sophisticated communication properties, such as delayed delivery of messages. In addition, and in contrast to many other approaches [29, 10, 2], not only safety, but also liveness and fairness properties, can be verified through automatic deductive verification. Finally, in contrast to work on regular model checking [1] and constraint based verification using counting abstraction [17], the logical approach is both complete and decidable.

The verification of concurrent systems often comes down to the analysis of multiple finite-state automata, for example of the following form (the figure is not reproduced here; the automaton has states $s_t$, $s_a$, $s_w$ and $s_b$, and its transitions are exactly those captured by the clauses below).

In describing such automata, both automata-theoretic and logical approaches may be used. While temporal logic [16] provides a clear, concise and intuitive description of the system, automata-theoretic techniques such as model checking [6] have been shown to be more useful in practice. Recently, however, a propositional, linear-time temporal logic with improved deductive properties has been introduced [13, 14], providing the possibility of practical deductive verification in the future. The essence of this approach is to provide an XOR constraint between key propositions. These constraints state that exactly one proposition from an XOR set can be true at any moment in time. Thus, the automaton above can be described by the following clauses, which are implicitly in the scope of a $\Box$ ('always in the future') operator.

$$\begin{array}{l}
\mathbf{start} \Rightarrow s_t \\
s_t \Rightarrow \bigcirc (s_t \vee s_a) \\
s_b \Rightarrow \bigcirc s_t \\
s_a \Rightarrow \bigcirc s_w \\
s_w \Rightarrow \bigcirc (s_w \vee s_b)
\end{array}$$

Here '$\bigcirc$' is a temporal operator denoting 'at the next moment' and '$\mathbf{start}$' is a temporal operator which holds only at the initial moment in time. The inherent assumption that at any moment in time exactly one of $s_a$, $s_b$, $s_t$ or $s_w$ holds is denoted by the following.

$$\Box(s_a \oplus s_b \oplus s_t \oplus s_w)$$

With the complexity of the decision problem (regarding $s_a$, $s_b$, etc.) being polynomial, the properties of any finite collection of such automata can be tractably verified using this propositional XOR temporal logic.

However, one might argue that this deductive approach, although elegant and concise, is still no better than a model checking approach, since it targets just finite collections of (finite) state machines. This naturally leads to the question of whether the XOR temporal approach can be extended to first-order temporal logics and, if so, whether a form of tractability still applies. In such an approach, we can consider infinite numbers of finite-state automata (initially, all of the same structure). Previously, we have shown that FOTL can be used to elegantly specify such a system, simply by assuming the argument to each predicate represents a particular automaton [19]. Thus, in the following $s_a(x)$ is true if automaton $x$ is in state $s_a$.

1. $\mathbf{start} \Rightarrow \exists x.\ s_t(x)$

2. $\forall x.\ (s_t(x) \Rightarrow \bigcirc(s_t(x) \vee s_a(x)))$

3. $\forall x.\ (s_b(x) \Rightarrow \bigcirc s_t(x))$

4. $\forall x.\ (s_a(x) \Rightarrow \bigcirc s_w(x))$

5. $\forall x.\ (s_w(x) \Rightarrow \bigcirc(s_w(x) \vee s_b(x)))$

Thus, FOTL can be used to specify and verify broadcast protocols between synchronous components [17]. In this paper we define a logic, FOTLX, which allows us not only to specify and verify systems of the above form, but also to specify and verify more sophisticated asynchronous systems, and to carry out verification with a reasonable complexity.

2 FOTLX 

2.1 First-Order Temporal Logic

First-Order (discrete, linear time) Temporal Logic, FOTL, is an extension of classical first-order logic with operators that deal with a discrete and linear model of time (isomorphic to the natural numbers, $\mathbb{N}$).

Syntax. The symbols used in FOTL are

• Predicate symbols: $P_0, P_1, \ldots$, each of which is of a fixed arity (null-ary predicate symbols are propositions);

• Variables: $x_0, x_1, \ldots$;

• Constants: $c_0, c_1, \ldots$;

• Boolean operators: $\wedge$, $\vee$, $\Rightarrow$, $\equiv$, $\mathbf{true}$ ('true'), $\mathbf{false}$ ('false');

• First-order quantifiers: $\forall$ ('for all') and $\exists$ ('there exists'); and

• Temporal operators: $\Box$ ('always in the future'), $\Diamond$ ('sometime in the future'), $\bigcirc$ ('at the next moment'), $\mathcal{U}$ (until), $\mathcal{W}$ (weak until), and $\mathbf{start}$ (at the first moment in time).

Although the language contains constants, neither equality nor function symbols are allowed.
The set of well-formed FOTL-formulae is defined in the standard way [24, 7]:

• Booleans $\mathbf{true}$ and $\mathbf{false}$ are atomic FOTL-formulae;

• if $P$ is an $n$-ary predicate symbol and $t_i$, $1 \le i \le n$, are variables or constants, then $P(t_1, \ldots, t_n)$ is an atomic FOTL-formula;

• if $\varphi$ and $\psi$ are FOTL-formulae, so are $\neg\varphi$, $\varphi \wedge \psi$, $\varphi \vee \psi$, $\varphi \Rightarrow \psi$, and $\varphi \equiv \psi$;

• if $\varphi$ is an FOTL-formula and $x$ is a variable, then $\forall x\,\varphi$ and $\exists x\,\varphi$ are FOTL-formulae;

• if $\varphi$ and $\psi$ are FOTL-formulae, then so are $\Box\varphi$, $\Diamond\varphi$, $\bigcirc\varphi$, $\varphi\,\mathcal{U}\,\psi$, $\varphi\,\mathcal{W}\,\psi$, and $\mathbf{start}$.

A literal is an atomic FOTL-formula or its negation.
Figure 1: Semantics of FOTL.

Semantics. Intuitively, FOTL formulae are interpreted in first-order temporal structures which are sequences $\mathfrak{M}$ of worlds, $\mathfrak{M} = \mathfrak{M}_0, \mathfrak{M}_1, \ldots$, with truth values in different worlds being connected via temporal operators.

More formally, for every moment of time $n \ge 0$, there is a corresponding first-order structure, $\mathfrak{M}_n = (D_n, I_n)$, where every $D_n$ is a non-empty set such that whenever $n < m$, $D_n \subseteq D_m$, and $I_n$ is an interpretation of predicate and constant symbols over $D_n$. We require that the interpretation of constants is rigid. Thus, for every constant $c$ and all moments of time $i, j \ge 0$, we have $I_i(c) = I_j(c)$.

A (variable) assignment $\mathfrak{a}$ is a function from the set of individual variables to $\bigcup_{n \in \mathbb{N}} D_n$. We denote the set of all assignments by $\mathfrak{V}$. The set of variable assignments $\mathfrak{V}_n$ corresponding to $\mathfrak{M}_n$ is a subset of the set of all assignments, $\mathfrak{V}_n = \{\mathfrak{a} \in \mathfrak{V} \mid \mathfrak{a}(x) \in D_n \text{ for every variable } x\}$; clearly, $\mathfrak{V}_n \subseteq \mathfrak{V}_m$ if $n < m$.

The truth relation $\mathfrak{M}_n \models^{\mathfrak{a}} \varphi$ in a structure $\mathfrak{M}$ is defined inductively on the construction of $\varphi$, only for those assignments $\mathfrak{a}$ that satisfy the condition $\mathfrak{a} \in \mathfrak{V}_n$. See Fig. 1 for details. $\mathfrak{M}$ is a model for a formula $\varphi$ (or $\varphi$ is true in $\mathfrak{M}$) if, and only if, there exists an assignment $\mathfrak{a}$ in $D_0$ such that $\mathfrak{M}_0 \models^{\mathfrak{a}} \varphi$. A formula is satisfiable if, and only if, it has a model. A formula is valid if, and only if, it is true in any temporal structure $\mathfrak{M}$ under any assignment $\mathfrak{a}$ in $D_0$.

The models introduced above are known as models with expanding domains since $D_n \subseteq D_{n+1}$. Another important class of models consists of models with constant domains, in which the class of first-order temporal structures, where FOTL formulae are interpreted, is restricted to structures $\mathfrak{M} = (D_n, I_n)$, $n \in \mathbb{N}$, such that $D_i = D_j$ for all $i, j \in \mathbb{N}$. The notions of truth and validity are defined similarly to the expanding domain case. It is known [32] that satisfiability over expanding domains can be reduced to satisfiability over constant domains with only a polynomial increase in the size of formulae.
2.2 Monodicity and Monadicity



The set of valid formulae of FOTL is not recursively enumerable. Furthermore, it is known that even 
"small" fragments of FOTL, such as the two-variable monadic fragment (where all predicates are unary), 
are not recursively enumerable [30, 24]. However, the set of valid monodic formulae is known to be finitely 
axiomatisable [33]. 

Definition 1 An FOTL-formula $\varphi$ is called monodic if, and only if, any subformula of the form $T\psi$, where $T$ is one of $\bigcirc$, $\Box$, $\Diamond$ (or $\psi_1\,T\,\psi_2$, where $T$ is one of $\mathcal{U}$, $\mathcal{W}$), contains at most one free variable.

We note that the addition of either equality or function symbols to the monodic fragment generally leads to the loss of recursive enumerability [33, 8, 22]. Thus, monodic FOTL is expressive, yet even small extensions lead to serious problems. Further, even with its recursive enumerability, monodic FOTL is generally undecidable. To recover decidability, the easiest route is to restrict the first-order part to some decidable fragment of first-order logic, such as the guarded, two-variable or monadic fragments. We here choose the latter, since monadic predicates fit well with our intended application to parameterised systems. Recall that monadicity requires that all predicates have arity of at most 1. Thus, we use monadic, monodic FOTL [7].

A practical approach to proving monodic temporal formulae is to use fine-grained temporal resolution [26], which has been implemented in the theorem prover TeMP [25]. In the past, TeMP has been successfully applied to problems from several domains [21], in particular, to examples specified in the temporal logics of knowledge (the fusion of propositional linear-time temporal logic with multi-modal S5) [15, 11, 13]. From this work it is clear that monodic first-order temporal logic is an important tool for specifying complex systems. However, it is also clear that the complexity, even of monadic monodic first-order temporal logic, makes this approach difficult to use for larger applications [21, 19].

2.3 XOR Restrictions 

An additional restriction we make to the above logic involves implicit XOR constraints over predicates. Such restrictions were introduced into temporal logics in [13], where the correspondence with Büchi automata was described, and generalised in [14]. In both cases, the decision problem is of much better (generally, polynomial) complexity than that for the standard, unconstrained, logic. However, in these papers only propositional temporal logic was considered. We now add such an XOR constraint to FOTLX.

The set of predicate symbols $\Pi = \{P_0, P_1, \ldots\}$ is now partitioned into a set of XOR-sets, $X_1, X_2, \ldots, X_n$, with one non-XOR set $N$ such that

1. all $X_i$ are disjoint with each other,

2. $N$ is disjoint with every $X_i$,

4. for each $X_i$, exactly one predicate within $X_i$ is satisfied (for any element of the domain) at any moment in time.

Example 1 Consider the formula

$$\forall x.\ \big((P_1(x) \vee P_2(x)) \wedge (P_4(x) \vee P_7(x) \vee P_8(x))\big)$$

where $\{P_1, P_2\} \subseteq X_1$ and $\{P_4, P_7, P_8\} \subseteq X_2$. The above formula states that, for any element of the domain, $a$, one of $P_1(a)$ or $P_2(a)$ must be satisfied and one of $P_4(a)$, $P_7(a)$ or $P_8(a)$ must be satisfied.
2.4 Normal Form



To simplify our description, we will define a normal form into which FOTLX formulae can be translated. In the following:

• $\widetilde{X}^{\wedge}_i(x)$ denotes a conjunction of negated XOR predicates from the set $X_i$;

• $X^{\vee}_i(x)$ denotes a disjunction of (positive) XOR predicates from the set $X_i$;

• $N^{\wedge}_i(x)$ denotes a conjunction of non-XOR literals;

• $N^{\vee}_i(x)$ denotes a disjunction of non-XOR literals.

A step clause is defined as follows:

$$\widetilde{X}^{\wedge}_1(x) \wedge \ldots \wedge \widetilde{X}^{\wedge}_n(x) \wedge N^{\wedge}_i(x) \Rightarrow \bigcirc\big(X^{\vee}_1(x) \vee \ldots \vee X^{\vee}_n(x) \vee N^{\vee}_j(x)\big)$$

A monadic temporal problem in Divided Separated Normal Form (DSNF) [7] is a quadruple $(\mathcal{U}, \mathcal{I}, \mathcal{S}, \mathcal{E})$, where:

1. the universal part, $\mathcal{U}$, is a finite set of arbitrary closed first-order formulae;

2. the initial part, $\mathcal{I}$, is, again, a finite set of arbitrary closed first-order formulae;

3. the step part, $\mathcal{S}$, is a finite set of step clauses; and

4. the eventuality part, $\mathcal{E}$, is a finite set of eventuality clauses of the form $\Diamond L(x)$, where $L(x)$ is a unary literal.

In what follows, we will not distinguish between a finite set of formulae $X$ and the conjunction $\bigwedge X$ of formulae within the set. With each monodic temporal problem, we associate the formula

$$\mathcal{I} \wedge \Box\,\mathcal{U} \wedge \Box\forall x\,\mathcal{S} \wedge \Box\forall x\,\mathcal{E}.$$

Now, when we talk about particular properties of a temporal problem (e.g., satisfiability, validity, logical consequences, etc.) we mean properties of the associated formula.

Every monodic FOTLX formula can be translated to the normal form in a satisfiability preserving way using a renaming and unwinding technique which substitutes non-atomic subformulae and replaces temporal operators by their fixed point definitions, as described, for example, in [18]. A step in this transformation is the following: we recursively rename each innermost open subformula $\xi(x)$ whose main connective is a temporal operator by $P_\xi(x)$, where $P_\xi$ is a new unary predicate, and rename each innermost closed subformula $\xi$ whose main connective is a temporal operator by $p_\xi$, where $p_\xi$ is a new propositional variable. While renaming introduces new, non-XOR predicates and propositions, practical problems stemming from verification are nearly in the normal form; see Section 3.

2.5 Complexity 

First-order temporal logics are notorious for being of a high complexity. Even decidable sub-fragments 
of monodic first-order temporal logic can be too complex for practical use. For example, satisfiability 
of monodic monadic FOTL logic is known to be EXPSPACE-complete [23]. However, imposing XOR 
restrictions we obtain better complexity bounds. 
Theorem 1 Satisfiability of monodic monadic FOTLX formulae (in the normal form) can be decided in $2^{O(N_1 \cdot N_2 \cdot \ldots \cdot N_n \cdot 2^{N_a})}$ time, where $N_1, \ldots, N_n$ are cardinalities of the sets of XOR predicates, and $N_a$ is the cardinality of the set of non-XOR predicates.

Before we sketch the proof of this result, we show how the XOR restrictions influence the complexity of the 
satisfiability problem for monadic first-order (non-temporal) logic. 

Lemma 2 Satisfiability of monadic first-order formulae can be decided in $\mathrm{NTime}(O(n \cdot N_1 \cdot N_2 \cdot \ldots \cdot N_n \cdot 2^{N_a}))$, where $n$ is the length of the formula, and $N_1, \ldots, N_n, N_a$ are as in Theorem 1.

Proof As in [4], Proposition 6.2.9, the non-deterministic decision procedure first guesses a structure and then verifies that the structure is a model for the given formula. It was shown, [4], Proposition 6.2.1, Exercise 6.2.3, that if a monadic first-order formula has a model, it also has a model whose domain is the set of all predicate colours. A predicate colour, $\gamma$, is a set of unary literals such that for every predicate $P(x)$ from the set of all predicates $X_1 \cup \ldots \cup X_n \cup N$, either $P(x)$ or $\neg P(x)$ belongs to $\gamma$. Notice that under the conditions of the lemma, there are at most $N_1 \cdot N_2 \cdot \ldots \cdot N_n \cdot 2^{N_a}$ different predicate colours. Hence, the structure to guess is of $O(N_1 \cdot N_2 \cdot \ldots \cdot N_n \cdot 2^{N_a})$ size.

It should be clear that one can evaluate a monadic formula of size $n$ in a structure of size $O(N_1 \cdot N_2 \cdot \ldots \cdot N_n \cdot 2^{N_a})$ in deterministic $O(n \cdot N_1 \cdot N_2 \cdot \ldots \cdot N_n \cdot 2^{N_a})$ time. Therefore, the overall complexity of the decision procedure is $\mathrm{NTime}(O(n \cdot N_1 \cdot N_2 \cdot \ldots \cdot N_n \cdot 2^{N_a}))$. □
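The guess-and-check procedure of the proof above, and the saving the XOR restriction buys, as an added example (this is not code from the paper): the Python below enumerates the predicate colours for the XOR sets of Example 1 in Section 2.3 (plus one constructed non-XOR predicate $N$, so that both kinds of predicate appear), and then decides satisfiability and validity of a monadic formula by guessing the non-empty set of colours realised in a model, with $P$ true of a colour exactly when $P$ is positive in it. That canonical-interpretation form of the structure guess, the tuple encoding of formulae, and the predicate $N$ are this example's own assumptions.

```python
"""Added example, not from the paper: the guess-and-check decision
procedure of Lemma 2 for monadic first-order formulae under XOR
restrictions, run on the formula of Example 1 (Section 2.3).

A predicate colour fixes, for every predicate, whether it holds of an
element. With XOR sets X_1..X_n and N_a non-XOR predicates there are
N_1 * ... * N_n * 2^N_a colours instead of 2^(N_1 + ... + N_n + N_a).
The procedure guesses which colours are realised in a model (a
non-empty set of colours, with P true of colour c iff P is positive in
c) and evaluates the formula there; this canonical-interpretation
variant of the lemma's structure guess is this example's formulation.
Formulae are constructed tuples: ("P", name, var), ("not", f),
("and", f, g), ("or", f, g), ("imp", f, g), ("forall", v, f), ("exists", v, f).
"""
from itertools import combinations, product


def colours(xor_sets, non_xor):
    """All predicate colours, each as the frozenset of its positive predicates."""
    result = []
    for chosen in product(*xor_sets):                 # exactly one positive per XOR set
        for k in range(len(non_xor) + 1):
            for extra in combinations(non_xor, k):    # any subset of non-XOR predicates
                result.append(frozenset(chosen) | frozenset(extra))
    return result


def colour_count(xor_sets, non_xor):
    """Closed form from Lemma 2: N_1 * ... * N_n * 2^N_a."""
    n = 1
    for x in xor_sets:
        n *= len(x)
    return n * 2 ** len(non_xor)


def holds(f, domain, env):
    """Evaluate f in the structure whose domain is `domain` (a tuple of colours)."""
    op = f[0]
    if op == "P":
        return f[1] in env[f[2]]                      # P true of colour iff positive in it
    if op == "not":
        return not holds(f[1], domain, env)
    if op == "and":
        return holds(f[1], domain, env) and holds(f[2], domain, env)
    if op == "or":
        return holds(f[1], domain, env) or holds(f[2], domain, env)
    if op == "imp":
        return (not holds(f[1], domain, env)) or holds(f[2], domain, env)
    if op == "forall":
        return all(holds(f[2], domain, {**env, f[1]: c}) for c in domain)
    if op == "exists":
        return any(holds(f[2], domain, {**env, f[1]: c}) for c in domain)
    raise ValueError(f"unknown connective {op!r}")


def satisfiable(f, xor_sets, non_xor):
    """Guess a non-empty set of realised colours, then check the formula in it."""
    cols = colours(xor_sets, non_xor)
    return any(holds(f, dom, {})
               for k in range(1, len(cols) + 1)
               for dom in combinations(cols, k))


def valid(f, xor_sets, non_xor):
    """Validity is unsatisfiability of the negation (under the same XOR sets)."""
    return not satisfiable(("not", f), xor_sets, non_xor)


# Example 1 of the paper: {P1, P2} is X_1 and {P4, P7, P8} is X_2; the
# non-XOR predicate N is constructed for this example.
X1, X2, NON_XOR = ("P1", "P2"), ("P4", "P7", "P8"), ("N",)
EXAMPLE_1 = ("forall", "x", ("and", ("or", ("P", "P1", "x"), ("P", "P2", "x")),
                             ("or", ("or", ("P", "P4", "x"), ("P", "P7", "x")),
                                    ("P", "P8", "x"))))
# Unsatisfiable under XOR: two predicates of X_1 true of the same element.
CLASH = ("exists", "x", ("and", ("P", "P1", "x"), ("P", "P2", "x")))

if __name__ == "__main__":
    print(len(colours([X1, X2], NON_XOR)), colour_count([X1, X2], NON_XOR))  # 12 12
    print(valid(EXAMPLE_1, [X1, X2], NON_XOR))      # True
    print(satisfiable(CLASH, [X1, X2], NON_XOR))    # False
```

With the two XOR sets and one non-XOR predicate there are $2 \cdot 3 \cdot 2 = 12$ colours, against $2^6 = 64$ if all six predicates were unconstrained; the subset search is exponential in the number of colours, which is why the XOR product, not the raw predicate count, governs the bound in Lemma 2.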

Proof [of Theorem 1, Sketch] For simplicity of presentation, we assume the formula contains no propositions. Satisfiability of a monodic FOTL formula is equivalent to a property of the behaviour graph for the formula, checkable in time polynomial in the product of the number of different predicate colours and the size of the graph, see [7], Theorem 5.15. For unrestricted FOTL formulae, the size of the behaviour graph is double exponential in the number of predicates. We estimate now the size of the behaviour graph and the time needed for its construction for FOTLX formulae.

Let $\Gamma$ be a set of predicate colours and $\rho$ be a map from the set of constants, $\mathrm{const}(\mathcal{P})$, to $\Gamma$. A couple $(\Gamma, \rho)$ is called a colour scheme. Nodes of the behaviour graph are colour schemes. Clearly, there are no more than $2^{O(N_1 \cdot N_2 \cdot \ldots \cdot N_n \cdot 2^{N_a})}$ different colour schemes. However, not every colour scheme is a node of the behaviour graph: a colour scheme $C$ is a node if, and only if, a monadic formula of first-order (non-temporal) logic, constructed from the given FOTLX formula and the colour scheme itself, is satisfiable (for details see [7]). A similar first-order monadic condition determines which nodes are connected with edges. It can be seen that the size of the formula is polynomial in both cases. By Lemma 2, satisfiability of monadic first-order formulae can be decided in deterministic $2^{O(N_1 \cdot N_2 \cdot \ldots \cdot N_n \cdot 2^{N_a})}$ time.

Overall, the behaviour graph, representing all possible models, for an FOTLX formula can be constructed in $2^{O(N_1 \cdot N_2 \cdot \ldots \cdot N_n \cdot 2^{N_a})}$ time. □

3 Infinite-State Systems 

In previous work, notably [17, 9], a parameterised finite state machine based model, suitable for the specification and verification of protocols over arbitrary numbers of processes, was defined. Essentially, this uses a family of identical, and synchronously executing, finite state automata with a rudimentary form of communication: if one automaton makes a transition (an action) $a$, then it is required that all other automata simultaneously make a complementary transition (reaction) $\bar a$. In [19] we translated this automata model into monodic FOTL and used automated theorem proving in that logic to verify parameterised cache coherence protocols [10]. The model assumed not only synchronous behaviour of the communicating automata, but instantaneous broadcast.

Here we present a more general model suitable for specification of both synchronous and asynchronous 
systems (protocols) with (possibly) delayed broadcast and give its faithful translation into FOTLX. This 
not only exhibits the power of the logic but, with the improved complexity results of the previous section, 
provides a route towards the practical verification of temporal properties of infinite state systems. 

3.1 Process Model 

We begin with a description of both the asynchronous model, and the delayed broadcast approach. 
Definition 2 (Protocol) A protocol, $\mathcal{P}$, is a tuple $(Q, I, \Sigma, \tau)$, where

• $Q$ is a finite set of states;

• $I \subseteq Q$ is a set of initial states;

• $\Sigma = \Sigma_L \cup \Sigma_M \cup \Sigma_{\bar M}$, where

— $\Sigma_L$ is a finite set of local actions;

— $\Sigma_M$ is a finite set of broadcast actions, i.e. "send a message";

— $\Sigma_{\bar M} = \{\bar a \mid a \in \Sigma_M\}$ is the set of broadcast reactions, i.e. "receive a message";

• $\tau \subseteq Q \times \Sigma \times Q$ is a transition relation that satisfies the following property

$$\forall \bar a \in \Sigma_{\bar M}.\ \forall q \in Q.\ \exists q' \in Q.\ (q, \bar a, q') \in \tau$$

i.e., "readiness to receive a message in any state".

Further, we define a notion of global machine, which is a set of $n$ finite automata, where $n$ is a parameter, each following the protocol and able to communicate with others via (possibly delayed) broadcast. To model asynchrony, we introduce a special automaton action, $idle \notin \Sigma$, meaning the automaton is not active and so its state does not change. At any moment an arbitrary group of automata may be idle and all non-idle automata perform their actions in accordance with the transition relation $\tau$; different automata may perform different actions.

Definition 3 (Asynchronous Global Machine) Given a protocol, $\mathcal{P} = (Q, I, \Sigma, \tau)$, the global machine $\mathcal{M}_G$ of dimension $n$ is the tuple $(Q_{\mathcal{M}_G}, I_{\mathcal{M}_G}, \tau_{\mathcal{M}_G}, \mathcal{E})$, where

• $Q_{\mathcal{M}_G} = Q^n$

• $I_{\mathcal{M}_G} = I^n$

• $\tau_{\mathcal{M}_G} \subseteq Q_{\mathcal{M}_G} \times (\Sigma \cup \{idle\})^n \times Q_{\mathcal{M}_G}$ is a transition relation that satisfies the following property

$$((s_1, \ldots, s_n), (\sigma_1, \ldots, \sigma_n), (s'_1, \ldots, s'_n)) \in \tau_{\mathcal{M}_G}$$
iff
$$\forall 1 \le i \le n.\ \big[(\sigma_i \ne idle \Rightarrow (s_i, \sigma_i, s'_i) \in \tau) \wedge (\sigma_i = idle \Rightarrow s_i = s'_i)\big].$$

• $\mathcal{E} = 2^{\Sigma_M}$ is a communication environment, that is, a set of possible sets of messages in transition.

An element $G \in Q_{\mathcal{M}_G} \times (\Sigma \cup \{idle\})^n \times \mathcal{E}$ is said to be a global configuration of the machine.

A run of a global machine $\mathcal{M}_G$ is a possibly infinite sequence $(s^1, \sigma^1, E_1) \ldots (s^i, \sigma^i, E_i) \ldots$ of global configurations of $\mathcal{M}_G$ satisfying the properties (1)–(6) listed below. In this formulation we assume $s^i = (s^i_1, \ldots, s^i_n)$ and $\sigma^i = (\sigma^i_1, \ldots, \sigma^i_n)$.

1. $s^1 \in I^n$
("initially all automata are in initial states");

2. $E_1 = \emptyset$
("initially there are no messages in transition");

3. $\forall i.\ (s^i, \sigma^i, s^{i+1}) \in \tau_{\mathcal{M}_G}$
("an arbitrary part of the automata can fire");

4. $\forall a \in \Sigma_M.\ \forall i.\ \forall j.\ \big((\sigma^i_j = a) \Rightarrow \forall k.\ \exists l > i.\ (\sigma^l_k = \bar a)\big)$
("delivery to all participants is guaranteed");

5. $\forall a \in \Sigma_M.\ \forall i.\ \forall j.\ \big[(\sigma^i_j = \bar a) \Rightarrow ((a \in E_i) \vee \exists k.\ \sigma^i_k = a)\big]$
("one can receive only messages kept by the environment, or sent at the same moment of time").

In order to formulate further requirements we introduce the following notation:

$$Sent_i = \{a \in \Sigma_M \mid \exists j.\ \sigma^i_j = a\}$$

$$Delivered_k = \Big\{a \in \Sigma_M \ \Big|\ \exists i \le k.\ (a \in Sent_i) \wedge \big(\forall l.\ (i < l \le k) \rightarrow a \notin Sent_l\big) \wedge \big(\forall j.\ \exists l.\ (i < l \le k) \wedge (\sigma^l_j = \bar a)\big)\Big\}$$

Then, the last requirement the run should satisfy is

6. $\forall i.\ E_{i+1} = (E_i \cup Sent_i) - Delivered_i$.



Example: Asynchronous Floodset Protocol. We illustrate the use of the above model by presenting the 
specification of an asynchronous FloodSet protocol in our model. This is a variant of the FloodSet algorithm 
with alternative decision rule (in terms of [28], p. 105) designed for solution of the Consensus problem. 

The setting is as follows. There are n processes, each having an input bit and an output bit. The processes 
work asynchronously, run the same algorithm and use broadcast for communication. The broadcasted 
messages are guaranteed to be delivered, though possibly with arbitrary delays. (The process is described 
graphically in Fig. 2.) 

The goal of the algorithm is to eventually reach an agreement, i.e. to produce an output bit, which would 
be the same for all processes. It is required also that if all processes have the same input bit, that bit should 
be produced as an output bit. 

The asynchronous FloodSet protocol we consider here is adapted from [28]. The main differences from the original protocol are:

• the original protocol was synchronous, while our variant is asynchronous;

• the original protocol assumed instantaneous message delivery, while we allow arbitrary delays in delivery; and

• although the original protocol was designed to work in the presence of crash (or fail-stop) failures, we assume, for simplicity, that there are no failures.

Figure 2: Asynchronous FloodSet Protocol Process.

Because of the absence of failures the protocol is very simple and, unlike the original one, does not require "retransmission" of any value. We will show later (in Section 3.3) how to include the case of crash failures in the specification (and verification). Thus, the asynchronous FloodSet protocol is defined, informally, as follows.

• At the first round of computations, every process broadcasts its input bit. 

• At every round the (tentative) output bit is set to the minimum value ever seen so far. 

The correctness criterion for this protocol is that, eventually, the output bits of all processes will be the same. 

Now we can specify the asynchronous FloodSet as a protocol $(Q, I, \Sigma, \tau)$, where $Q = \{i_0, i_1, o_0, o_1\}$; $I = \{i_0, i_1\}$; $\Sigma = \Sigma_M \cup \Sigma_{\bar M} \cup \Sigma_L$ with $\Sigma_M = \{0, 1\}$, $\Sigma_{\bar M} = \{\bar 0, \bar 1\}$, $\Sigma_L = \emptyset$. The transition relation is

$$\tau = \{(i_0, 0, o_0),\ (o_0, \bar 0, o_0),\ (o_0, \bar 1, o_0),\ (i_1, 1, o_1),\ (o_1, \bar 0, o_0),\ (o_1, \bar 1, o_1)\}.$$
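The global machine, the run conditions (1)–(6) and the FloodSet protocol above, as an added example (this is not the paper's code): the Python below simulates a global machine of dimension $n$ running FloodSet under a constructed activation schedule that makes the automata asynchronous and leaves messages in transition for several steps, while maintaining $E_i$, $Sent_i$ and $Delivered_i$ as the run conditions require. The schedule, the spelling `a~` for the reaction $\bar a$, and the `agreed_output` helper are this example's assumptions; the protocol tuple is the paper's.

```python
"""Added example, not from the paper: a simulator for the asynchronous
global machine of Section 3.1 running the FloodSet protocol, with the
environment E_i, Sent_i and Delivered_i maintained as in run conditions
(1)-(6). The protocol (Q, I, Sigma, tau) is the paper's; the activation
schedule is constructed for illustration. A broadcast reaction
"receive a" (bar-a in the paper) is written a~.
"""

Q = {"i0", "i1", "o0", "o1"}          # states
INIT = {"i0", "i1"}                   # initial states
SIGMA_M = {"0", "1"}                  # broadcast actions: send the bit


def react(a):
    """Broadcast reaction for message a (bar-a in the paper)."""
    return a + "~"


# transition relation tau, as a map (state, action) -> next state
TAU = {
    ("i0", "0"): "o0", ("o0", react("0")): "o0", ("o0", react("1")): "o0",
    ("i1", "1"): "o1", ("o1", react("0")): "o0", ("o1", react("1")): "o1",
}


def run_floodset(inputs, max_steps=100):
    """Run the global machine of dimension n = len(inputs).

    Returns (final states, trace), where trace lists the global
    configurations (s^t, sigma^t, E_t). Automaton j is active only at
    steps t with t % (j % 3 + 1) == 0 (constructed schedule), so the
    automata proceed asynchronously and deliveries are delayed.
    """
    n = len(inputs)
    s = [f"i{b}" for b in inputs]     # (1) every automaton starts in an initial state
    E = set()                         # (2) no messages in transition initially
    last_sent = {}                    # message -> step of its most recent send
    got = {}                          # message -> automata that received it since then
    trace = []
    for t in range(max_steps):
        sigma = ["idle"] * n
        active = [j for j in range(n) if t % (j % 3 + 1) == 0]
        sent_now = set()
        for j in active:              # first round: broadcast the input bit
            if s[j].startswith("i"):
                a = s[j][1]
                sigma[j] = a
                sent_now.add(a)
                last_sent[a], got[a] = t, set()
        for j in active:              # (5) receive only a message kept by E_t
            if sigma[j] == "idle":
                pending = [a for a in sorted(E) if j not in got[a]]
                if pending and (s[j], react(pending[0])) in TAU:
                    sigma[j] = react(pending[0])
        s_next = list(s)
        for j in range(n):            # (3) non-idle automata follow tau
            if sigma[j] != "idle":
                s_next[j] = TAU[(s[j], sigma[j])]
                a = sigma[j][0]
                if sigma[j].endswith("~") and last_sent[a] < t:
                    got[a].add(j)     # counts towards Delivered only after the send
        trace.append((tuple(s), tuple(sigma), frozenset(E)))
        delivered = {a for a in E | sent_now if got[a] == set(range(n))}
        E = (E | sent_now) - delivered    # (6) environment update
        s = s_next
        if not E and all(st.startswith("o") for st in s):
            break                     # quiescent: every message delivered to all
    return s, trace


def agreed_output(states):
    """The common output bit if all automata have decided and agree, else None."""
    if all(st.startswith("o") for st in states) and len(set(states)) == 1:
        return int(states[0][1])
    return None


if __name__ == "__main__":
    final, trace = run_floodset([1, 0, 1])
    for t, (st, sg, env) in enumerate(trace):
        print(t, st, sg, sorted(env))
    print("final:", final, "agreed output:", agreed_output(final))
```

On input bits $(1, 0, 1)$ the run ends with every automaton in $o_0$, the minimum of the inputs, after the message $0$ has been received by all three; on $(1, 1)$ it ends in $o_1$, as the requirement that a common input bit be the output demands. The trace returned by `run_floodset` is the sequence of configurations $(s^t, \sigma^t, E_t)$ against which conditions (4) and (5) can be checked directly.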

3.2 Temporal Translation 

Given a protocol $\mathcal{P} = (Q, I, \Sigma, \tau)$, we define its translation to FOTLX as follows.

For each $q \in Q$, introduce a monadic predicate symbol $P_q$ and for each $a \in \Sigma \cup \{idle\}$ introduce a monadic predicate symbol $A_a$. For each $a \in \Sigma_M$ we introduce also a propositional symbol $m_a$.

Intuitively, elements of the domain in the temporal representation will represent exemplars of finite automata, and the formula $P_q(x)$ is intended to represent "automaton $x$ is in state $q$". The formula $A_a(x)$ is going to represent "automaton $x$ performs action $a$". Proposition $m_a$ will denote the fact "message $a$ is in transition" (i.e. it has been sent but not all participants have received it).

Because of the intended meaning we define two XOR-sets: $X_1 = \{P_q \mid q \in Q\}$ and $X_2 = \{A_a \mid a \in \Sigma \cup \{idle\}\}$. All other predicates belong to the set of non-XOR predicates.
I. Each automaton either performs one of the actions available in its state, or is idle:

$\Box\,[\forall x.\ P_q(x) \rightarrow A_{a_1}(x) \vee \ldots \vee A_{a_k}(x) \vee A_{idle}(x)]$, where $\{a_1, \ldots, a_k\} = \{a \in \Sigma \mid \exists r.\ (q, a, r) \in \tau\}$

II. Action effects (non-deterministic actions): $\Box\,[\forall x.\ P_q(x) \wedge A_\sigma(x) \rightarrow \bigcirc \bigvee_{(q, \sigma, r) \in \tau} P_r(x)]$ for all $q \in Q$ and $\sigma \in \Sigma$.

III. Effect of being idle: $\Box\,[\forall x.\ P_q(x) \wedge A_{idle}(x) \rightarrow \bigcirc P_q(x)]$, for all $q \in Q$.

IV. Initially there are no messages in transition and all automata are in initial states: $\mathbf{start} \rightarrow \neg m_a$ for all $a \in \Sigma_M$ and $\mathbf{start} \rightarrow \forall x.\ \bigvee_{q \in I} P_q(x)$.

V. All messages are eventually received (Guarantee of Delivery): $\Box\,[\exists y.\ A_a(y) \rightarrow \forall x.\ \Diamond A_{\bar a}(x)]$, for all $a \in \Sigma_M$.

VI. Only messages kept in the environment (in transition), or sent at the same moment of time, can be received: $\Box\,[\forall x.\ A_{\bar a}(x) \rightarrow m_a \vee \exists y.\ A_a(y)]$ for all $a \in \Sigma_M$.

VII. Finally, for all $a \in \Sigma_M$, we have the conjunction of the following formulae:

1. $\mathbf{start} \rightarrow \forall x.\ \neg Received_a(x)$

2. $\Box\,[\forall x.\ (A_{\bar a}(x) \wedge \neg\forall y.\ Received_a(y)) \rightarrow \bigcirc Received_a(x)]$

3. $\Box\,[\forall x.\ (Received_a(x) \wedge \neg\forall y.\ Received_a(y)) \rightarrow \bigcirc Received_a(x)]$

4. $\Box\,[\forall x.\ (\neg(A_{\bar a}(x) \vee Received_a(x)) \wedge \neg\forall y.\ Received_a(y)) \rightarrow \bigcirc \neg Received_a(x)]$

5. $\Box\,[\forall x.\ Received_a(x) \rightarrow \bigcirc \neg m_a]$

6. $\Box\,[\exists x.\ A_a(x) \wedge \neg\forall y.\ Received_a(y) \rightarrow \bigcirc m_a]$

7. $\Box\,[\neg\exists x.\ A_a(x) \wedge \neg\forall y.\ Received_a(y) \rightarrow (m_a \leftrightarrow \bigcirc m_a)]$

Figure 3: Temporal Specification of Abstract Protocol Structure.

We define the temporal translation of $\mathcal{P}$, called $T_{\mathcal{P}}$, as a conjunction of the formulae in Fig. 3. Note that, in order to define the temporal translation of requirement (6) above (on the dynamics of environment updates), we introduce the unary predicate symbol $Received_a$ for every $a \in \Sigma_M$.
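The translation scheme of Fig. 3, worked mechanically on the FloodSet protocol of Section 3.1 as an added example (this is not the paper's code): the Python below produces the axiom groups I–VI of $T_{\mathcal{P}}$ from the protocol tuple, together with the two XOR sets $X_1$ and $X_2$. The protocol is the paper's; the ASCII rendering of the connectives (`box`, `next`, `<>`, `forall`, `exists`, `->`, `&`, `v`, `~`) and the spelling `a~` for $\bar a$ are this example's own choices, and group VII is left out.

```python
"""Added example, not the paper's code: generating axiom groups I-VI of
Fig. 3 (the temporal translation T_P) for the FloodSet protocol of
Section 3.1. Formulae are rendered as ASCII strings; the protocol
tuple is the paper's, the rendering is this example's choice, and the
reaction bar-a is written a~.
"""


def translate(Q, I, Sigma_M, tau):
    """Return the axiom groups I..VI (lists of formula strings) of T_P for
    the protocol (Q, I, Sigma, tau), with Sigma = Sigma_M plus its reactions."""
    ax = {k: [] for k in ("I", "II", "III", "IV", "V", "VI")}
    for q in sorted(Q):
        enabled = sorted({a for (p, a, _) in tau if p == q})
        # I. perform an action available in the state, or be idle
        acts = " v ".join(f"A_{a}(x)" for a in enabled + ["idle"])
        ax["I"].append(f"box[forall x. P_{q}(x) -> {acts}]")
        # II. action effects: one of the tau-successors holds at the next moment
        for a in enabled:
            succ = sorted({r for (p, b, r) in tau if p == q and b == a})
            nxt = " v ".join(f"P_{r}(x)" for r in succ)
            ax["II"].append(f"box[forall x. P_{q}(x) & A_{a}(x) -> next ({nxt})]")
        # III. being idle keeps the state
        ax["III"].append(f"box[forall x. P_{q}(x) & A_idle(x) -> next P_{q}(x)]")
    # IV. initially no message in transition, all automata in initial states
    for a in sorted(Sigma_M):
        ax["IV"].append(f"start -> ~m_{a}")
    ax["IV"].append("start -> forall x. " + " v ".join(f"P_{q}(x)" for q in sorted(I)))
    for a in sorted(Sigma_M):
        # V. guarantee of delivery
        ax["V"].append(f"box[exists y. A_{a}(y) -> forall x. <> A_{a}~(x)]")
        # VI. receive only what is in transition or sent at the same moment
        ax["VI"].append(f"box[forall x. A_{a}~(x) -> m_{a} v exists y. A_{a}(y)]")
    return ax


def xor_sets(Q, Sigma_M):
    """The XOR sets of the translation: X1 = states, X2 = actions including idle."""
    X1 = {f"P_{q}" for q in Q}
    X2 = {f"A_{a}" for a in Sigma_M} | {f"A_{a}~" for a in Sigma_M} | {"A_idle"}
    return X1, X2


# FloodSet protocol of Section 3.1 (reaction bar-a written a~)
FLOODSET_Q = {"i0", "i1", "o0", "o1"}
FLOODSET_I = {"i0", "i1"}
FLOODSET_SIGMA_M = {"0", "1"}
FLOODSET_TAU = {("i0", "0", "o0"), ("o0", "0~", "o0"), ("o0", "1~", "o0"),
                ("i1", "1", "o1"), ("o1", "0~", "o0"), ("o1", "1~", "o1")}

if __name__ == "__main__":
    groups = translate(FLOODSET_Q, FLOODSET_I, FLOODSET_SIGMA_M, FLOODSET_TAU)
    for group, formulas in groups.items():
        for f in formulas:
            print(group, f)
    print(xor_sets(FLOODSET_Q, FLOODSET_SIGMA_M))
```

For FloodSet this yields one group-I and one group-III axiom per state, one group-II axiom per $(q, \sigma)$ pair with a successor under $\tau$ (six in all), and $X_1$ with four and $X_2$ with five predicates; a prover for FOTLX would take the conjunction of these strings (plus group VII) as $T_{\mathcal{P}}$.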

We now consider the correctness of the temporal translation. This translation of protocol $\mathcal{P}$ is faithful in the following sense.

Proposition 1 Given a protocol, $\mathcal{P}$, and a global machine, $\mathcal{M}_G$, of dimension $n$, any temporal model $\mathfrak{M}_1, \mathfrak{M}_2, \ldots$ of $T_{\mathcal{P}}$ with the finite domain $c_1, \ldots, c_n$ of size $n$ represents some run $(s^1, \sigma^1, E_1) \ldots (s^i, \sigma^i, E_i) \ldots$ of $\mathcal{M}_G$ as follows:

$((s_1, \ldots, s_n), (a_1, \ldots, a_n), E)$ is the $i$-th configuration of the run iff $\mathfrak{M}_i \models P_{s_1}(c_1) \wedge \ldots \wedge P_{s_n}(c_n)$, $\mathfrak{M}_i \models A_{a_1}(c_1) \wedge \ldots \wedge A_{a_n}(c_n)$ and $E = \{a \in \Sigma_M \mid \mathfrak{M}_i \models m_a\}$.

Dually, for any run of $\mathcal{M}_G$ there is a temporal model of $T_{\mathcal{P}}$ with a domain of size $n$ representing this run.

Proof By routine inspection of the definitions of runs, temporal models and the translation. □
3.3 Variations of the model



The above model allows various modifications, and the corresponding version of Proposition 1 still holds.

Determinism. The basic model allows non-deterministic actions. To specify the case of deterministic actions only, one should replace the "Action Effects" axiom in Fig. 3 by the following variant:

$$\Box\,[\forall x.\ P_q(x) \wedge A_a(x) \rightarrow \bigcirc P_r(x)]$$

for all $(q, a, r) \in \tau$.

Explicit bounds on delivery. In the basic model, no explicit bounds on delivery time are given. To introduce bounds one has to replace the "Guarantee of Delivery" axiom with the following one:

$$\Box\,[\exists y.\ A_a(y) \rightarrow \forall x.\ \bigcirc A_{\bar a}(x) \vee \bigcirc\bigcirc A_{\bar a}(x) \vee \ldots \vee \bigcirc^n A_{\bar a}(x)]$$

for all $a \in \Sigma_M$ and some $n$ (representing the maximal delay).

Finite bounds on delivery. One may replace the "Guarantee of Delivery" axiom with the following one

$$\Box\,[\exists y.\ A_a(y) \rightarrow \Diamond\forall x.\ Received_a(x)]$$

for all $a \in \Sigma_M$.

Crashes. One may replace the "Guarantee of Delivery" axiom by an axiom stating that only the messages 
sent by normal (non-crashed) participants will be delivered to all participants. (See [19] for examples of 
such specifications in a FOTL context.) 

Guarded actions. One can also extend the model with guarded actions, where action can be performed 
depending on global conditions in global configurations. 

Returning to the FloodSet protocol, one may consider a variation of the asynchronous protocol suitable for resolving the Consensus problem in the presence of crash failures. We can modify the above setting as follows. Now, processes may fail and, from that point onward, such processes send no further messages. Note, however, that the messages sent by a process at the moment of failure may be delivered to an arbitrary subset of the non-faulty processes.

The goal of the algorithm also has to be modified, so only non-faulty processes are required to eventually 
reach an agreement. Thus, the FloodSet protocol considered above is modified by adding the following rule: 

• At every round (later than the first), a process broadcasts any value the first time it sees it. 

Now, in order to specify this protocol the variation of the model with crashes should be used. The above 
rule can be easily encoded in the model and we leave it as an exercise for the reader. 

An interesting point here is that the protocol is actually correct under the assumption that only finitely 
many processes may fail. This assumption is automatically satisfied in our automata model, but not in 
its temporal translation. Instead, one may use the above Finite bounds on delivery axiom to prove the 
correctness of this variation of the algorithm. 
3.4 Verification



Now we have all the ingredients to perform the verification of parameterised protocols. Given a protocol $\mathcal{P}$, we can translate it into a temporal formula $T_{\mathcal{P}}$. For the temporal representation, $\chi$, of a required correctness condition, we then check whether $T_{\mathcal{P}} \rightarrow \chi$ is a valid temporal formula. If it is valid, then the protocol is correct for all possible values of the parameter (sizes).

Correctness conditions can, of course, be described using any legal FOTLX formula. For example, for the above FloodSet protocol(s) we have a liveness condition to verify:

$$\Diamond\,(\forall x.\ o_0(x) \vee \forall x.\ o_1(x))$$

or, alternatively,

$$\Diamond\,\big((\forall x.\ \mathit{Non\text{-}faulty}(x) \rightarrow o_0(x)) \vee (\forall x.\ \mathit{Non\text{-}faulty}(x) \rightarrow o_1(x))\big)$$

in the case of a protocol working in the presence of processor crashes.

While space precludes describing many further conditions, we just note that, in [19], we have demonstrated how this approach can be used to verify safety properties, i.e. with $\chi = \Box\varphi$. Since we have the power of FOTLX, but with decidability results, we can also automatically verify fairness formulae of the form $\chi =$

4 Concluding Remarks 

In the propositional case, the incorporation of XOR constraints within temporal logics has been shown to be advantageous, not only because of the reduced complexity of the decision procedure (essentially, polynomial rather than exponential; [14]), but also because of the strong fit between the scenarios to be modelled (for example, finite-state verification) and the XOR logic [13]. The XOR constraints essentially allow us to select a set of names/propositions that must occur exclusively. In the case of verification for finite state automata, we typically consider the automaton states, or the input symbols, as being represented by such sets. Modelling a scenario thus becomes a problem of engineering suitable (combinations of) XOR sets.

In this paper, we have developed an XOR version of FOTL, providing: its syntax and semantics; conditions for decidability; and detailed complexity of the decision procedure. As well as being an extension and combination of the work reported in both [7] and [14], this work forms the basis for tractable temporal reasoning over infinite state problems. In order to motivate this further, we considered a general model concerning the verification of infinite numbers of identical processes. We provide an extension of the work in [19] and [1, 2], tackling liveness properties of infinite-state systems, verification of asynchronous infinite-state systems, and varieties of communication within infinite-state systems. In particular, we are able to capture some of the more complex aspects of asynchrony and communication, together with the verification of more sophisticated liveness and fairness properties.

The work in [19] on basic temporal specification such as the above has indeed shown that deductive verification can here be attempted but is expensive — the incorporation of XOR provides significant improvements in complexity.
4.1 Related Work



The properties of first-order temporal logics have been studied, for example, in [24, 23]. Proof methods for 
the monodic fragment of first order-temporal logics, based on resolution or tableaux have been proposed in 
[7, 26, 27]. 

Model checking for parameterised and infinite-state systems is considered in [1]. Formulae are translated into a Büchi transducer with regular accepting states. Techniques from regular model checking are then used to search for models. This approach has been applied to several algorithms, verifying safety properties and some liveness properties.

Constraint based verification using counting abstractions [9, 10, 17], provides complete procedures for 
checking safety properties of broadcast protocols. However, such approaches 

• have theoretically non-primitive recursive upper bounds for decision procedures (although they work 
well for small, interesting, examples) — in our case the upper bounds are definitely primitive-recursive; 

• are not suitable (or, have not been used) for asynchronous systems with delayed broadcast — it is not 
clear how to adapt these methods for such systems; and 

• typically lead to undecidable problems if applied to liveness properties.

4.2 Future Work

Future work involves exploring further the framework described in this paper, in particular the development of an implementation to prove properties of protocols in practice. Further, we would like to see if we can extend the range of systems we can tackle beyond the monodic fragment.

We also note that some of the variations we might desire to include in Section 3.3 can lead to undecidable fragments. However, for some of these variations, we have correct although (inevitably) incomplete methods, see [19]. We wish to explore these boundaries further.